Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

DEFCON 22: Bypass firewalls, application white lists, secure remote desktops in 20 seconds

9,295 views

Published on

In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.

I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!

Published in: Technology
  • Be the first to comment

DEFCON 22: Bypass firewalls, application white lists, secure remote desktops in 20 seconds

  1. 1. Bypass firewalls, application white lists, secure remote desktops in 20 seconds Zoltan Balazs DEF CON 22, 2014
  2. 2. root@kali:~# whoami Zoltán Balázs
  3. 3. root@kali:~# whoami
  4. 4. root@kali:~# whoami AV testing AVbypass
  5. 5. root@kali:~# whoami OSCP: Occasional Satire Captain Punk CISSP: Certified Interspecie-ialSheep Shearing Professional CPTS: Certified Pajama Toaster Specialist MCP: Microsoft Certified Psychopath OSWP: Official Sexiest Weasel Popstar CHFI: Chronic Hopeless Flux Incompetent I’mNOT a CEH CyberLympics@2012 CTF 2nd runnersup–gula.sh Creatorof theZombieBrowser Toolkit https://github.com/Z6543/ZombieBrowserPack
  6. 6. Hungary
  7. 7. I love hacking
  8. 8. How do you hack high security systems?
  9. 9. How do you hack high security systems when you are not Tom Cruise?
  10. 10. The mission I’m a spy(with low budget) I want access to a hardened secure RDP (remote desktop) server E.g. server contains confidential documents I need persistent C&C access to the RDP server To upload/download files Interactive remote code execution
  11. 11. The solution (in an ideal world) Infected workstation Secure remote desktop server 1. Infect client’s desktop 2. Steal RDP password 3. Connect to RDP 4. Drop malware 5. Command and Control 6. Profit
  12. 12. The challenges RDP server is not reachable from the Internet Directly … Two factor authentication is used to access the RDP server No access to the token seeds ;) Drive mapping disabled – no direct file copy Restrictive hardware firewall Allows workstation -> server TCP port 3389 IPv4 only Application white list is used on the RDP server M$ Applocker in my case with default policy Firewall, port 3389 allowed only
  13. 13. Is this realistic? Similar environment at a client •Had no time to hack it
  14. 14. Infected workstationSecure remote desktop serverTarget CompanyThe InternetAttackerFirewall, port 3389 allowed only
  15. 15. “In hacking, there is no such thing as impossible. Only things that are more challenging.”
  16. 16. Alreadyachieved I have remote code execution with C&C on a user’s workstation I have access to a test RDP server I know how the files on the server look like, what services are installed This is Spartaaaapost-exploitation
  17. 17. Why should you care about this? Red team/pentester •New tools Blue team •New things to look for during log analysis/incident response Policy maker/business •Funny pictures
  18. 18. Divideet impera! Dividetheproblemintosmallerpiecesand rulethemall, onebyone 1.dropmalwareintotheRDP server 2.executeanycodeonRDP server 3.elevatetoadminprivileges 4.bypasshardwarefirewall
  19. 19. Divideet impera! Dividetheproblemintosmallerpiecesand rulethemall, onebyone 1.dropmalwareintotheRDP server –> newshinytool 2.executeanycodeonRDP server –> nothingnewhere 3.elevatetoadminprivileges–> nothingnew, no 0day foryou 4.bypasshardwarefirewall-> newshinytool
  20. 20. 1. Drop malware into RDP server
  21. 21. 1. DropmalwareintoRDP server Malware waits for the user to connect to RDP server Createsscreenshot(or new animation), show in foreground Optionallyblocksuser keyboard, mouse ~20 seconds Usesthekeyboardand theclipboard–simulates user 1.StartsM$ Wordon RDP server 2.Dropsencoded ASCII payload 3.CreatesMacrocode 4.Macrowritesbinary 5.Macro starts binaries
  22. 22. Alternative usage of “user simulator” 1.Add directory to be excluded from AV scans use the AV GUI! only if the user has the privileges and no UAC 2.Install new trusted root certification authority and accept warning –and MiTMSSL connections CA pinning does not stop this attack The AV is alive. Nope, Chuck Testa™
  23. 23. 2. What is Applocker?
  24. 24. 2. Executeanycode, bypassApplocker „AppLockercan only control VBScript, JScript, .bat files, .cmdfiles and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example Perl scripts and macros. Applications could contain flagsthat are passed to functions that signal AppLockertocircumvent the rulesand allow another .exe or .dll file to be loaded. The administratoron the local computer can modify the AppLockerpolicies defined in the local GPO.”
  25. 25. Executeanycode, bypassApplocker Load DLL withWord Macro! Even shellcodeexecution is possible! http://blog.didierstevens.com/2008/06/05/bpmtk- how-about-srp-whitelists/ Private Declare PtrSafeFunction LoadLibraryLib "kernel32" Alias "LoadLibraryA" (ByVallpLibFileNameAs String) As Long hLibrary= LoadLibrary(outputdir+ "hack_service.dll")
  26. 26. 3. Elevatetoadmin
  27. 27. 3. Elevatetoadmin Why do I need admin? •It is needed for the last phase, hardware firewall bypass Possibilities •Local privesc zero day for Win 2012 •Exploit unpatched vulnerability •Exploit vulnerable 3rdparty program service •Etc. Processes started with admin (or higher) privileges are not restricted by AppLocker!
  28. 28. Elevatetoadmin-Service exploit C:> accesschk.exe–l mvulnservice.exe [0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITYTERMINAL SERVER USER FILE_APPEND_DATA FILE_EXECUTE FILE_READ_ATTRIBUTES FILE_READ_DATA FILE_READ_EA FILE_WRITE_ATTRIBUTES FILE_WRITE_DATA FILE_WRITE_EA SYNCHRONIZE READ_CONTROLs C:> scsdshowmyvulnservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY) (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRCRPWP;;;IU)(A;;CCLCSWLOCRRC;;;SU)
  29. 29. Elevatetoadmin-Service exploit C:> accesschk.exe–l mvulnservice.exe [0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITYTERMINAL SERVER USER FILE_APPEND_DATA FILE_EXECUTE FILE_READ_ATTRIBUTES FILE_READ_DATA FILE_READ_EA FILE_WRITE_ATTRIBUTES FILE_WRITE_DATA FILE_WRITE_EA SYNCHRONIZE READ_CONTROLs C:> scsdshowmyvulnservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY) (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRCRPWP;;;IU)(A;;CCLCSWLOCRRC;;;SU) Allow Service start Service stop Interactivelyloggedonuser
  30. 30. Quiz
  31. 31. Quiz What’s the name of the company which published the first paper about packet filter firewalls in 1988?
  32. 32. Quiz What’s the name of the company which published the first paper about packet filter firewalls in 1988? The company developed VAX
  33. 33. Quiz What’s the name of the company which published the first paper about packet filter firewalls in 1988? Digital Equipment Corporation
  34. 34. 4. Bypass hardware firewall Restrictive firewall •No Bind shell •No Reverse shell •No covert channel •DNS, ICMP, IPv6, UDP, proxy •No shell!!! In a different scenario •TCP socket reuse shell possible (not persistent) •Webshell(lame) possible •But not in this case (no exploit, no webserver)
  35. 35. 4. Bypass hardware firewall First (bad) idea After malware dropped, mark every packet to be special •start with magic bytes and let akernel network filter driver select the packets Problem •Every (hacker) application has to be rewritten, or rerouted through a custom wrapper proxy (both server and client side)
  36. 36. Bypass HW firewall –second idea Use TCP source port! •E.g. port 1337 is always special Limitations •NAT from the attacker side •But who cares? 
  37. 37. Bypassing hardware firewallsLinux UsecodeatKernel level(withroot) if ((tcp_source_port === 1337) && (tcp_dest_port === 22)) then: redirect to bind shellon port 31337 iptables-t nat-A PREROUTING -p tcp--dport22-- sport 1337-j REDIRECT --to-ports 31337
  38. 38. Attacker or infected workstationFirewall, port 3389 allowed onlySecure remote desktop serverSrc port 1337Dst port 3389Dst port 3389Dst port 31337
  39. 39. Bypassing hardware firewalls on Windows x64 Installing a kernel driver in Windows x64 is not trivial •Trusted signed driver is needed Thanks to basil for WinDivertproject (and Nemea Software Development) •Trusted signed kernel driver already included! •You can interface with the kernel driver Alternatively, patchguardbypass could be used http://www.codeproject.com/Articles/28318/Bypassing- PatchGuard Uroburosrootkit –Bring Your Own Vuln Install root CA first with user simulator ;)
  40. 40. How to set TCP source port for meterpreterbind shell (or any program)? Netcat(Nmapbuild) to da rescue! ncat-kl 4444 -c "ncat-p 1337 RDP.SER.VER.IP 3389"
  41. 41. Demo
  42. 42. Alternative usage of “hwfwbypass” You have admin on webserver but persistent outbound C&C is blocked Instead of local port forward, use netcatto port forward to other machines in the DMZ Backdoor traffic to hide your communication inside the legit network traffic
  43. 43. The solution–as a whole Malware waits for the user to login to RDP with 2FA Create screenshot from user desktop Put screenshot on the screen Disable keyboard/mouse Drop malware by simulating user keyboard events + clipboard for large (ASCII) data transfer Start WORD, create new macro code Bypass application whitelist using DLL loading from Word macro code
  44. 44. The solution Escalate privileges to admin (vulnerable service) Install hwfwbypass.exe with kernel driver Dropmeterpreter Profit!
  45. 45. Demo
  46. 46. Demo 2 –as seen by the user
  47. 47. Lessons learned for red team You have twonew tools for your post exploitation •tool to drop malware into the remote desktop •If you have admin on a Windows server, you can bypass/fool hardware firewalls using my driver
  48. 48. Lessons learned for the blue team Every additional layer of security can still be bypassed Restricted remote desktop is a real interface for malware infection Use application/protocol aware (NG) firewall instead of port based ones Can be bypassed ;) Don’t trust your firewall logs blindly
  49. 49. Code release now?
  50. 50. References http://reqrypt.org/windivert.html http://inputsimulator.codeplex.com/-modified http://www.blackhat.com/presentations/bh-usa-06/BH- US-06-Tereshkin.pdf http://blog.didierstevens.com/2011/01/24/circumventing- srp-and-applocker-by-design/ http://www.room362.com/blog/2014/01/16/application- whitelist-bypass-using-ieexec-dot-exe http://leastprivilege.blogspot.fr/2013/04/bypass- applocker-by-loading-dlls-from.html?m=1https://www.mandiant.com/blog/hikit-rootkit-advanced- persistent-attack-techniques-part-2/
  51. 51. one more thing …
  52. 52. two more things … User simulator available as Metasploitpost module HW FW bypass available as Metasploitpost module
  53. 53. Hack The Planet! https://github.com/MRGEffitas/Write-into-screen https://github.com/MRGEffitas/hwfwbypasszoltan.balazs@mrg-effitas.com https://hu.linkedin.com/in/zbalazs Twitter–@zh4ck www.slideshare.net/bz98 Greetz to @CrySySLab, @hekkcamp JumpESPJump.blogspot.com

×